4756N/A * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved. 0N/A * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 0N/A * This code is free software; you can redistribute it and/or modify it 0N/A * under the terms of the GNU General Public License version 2 only, as 2362N/A * published by the Free Software Foundation. Oracle designates this 0N/A * particular file as subject to the "Classpath" exception as provided 2362N/A * by Oracle in the LICENSE file that accompanied this code. 0N/A * This code is distributed in the hope that it will be useful, but WITHOUT 0N/A * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 0N/A * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 0N/A * version 2 for more details (a copy is included in the LICENSE file that 0N/A * accompanied this code). 0N/A * You should have received a copy of the GNU General Public License version 0N/A * 2 along with this work; if not, write to the Free Software Foundation, 0N/A * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 2362N/A * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 2362N/A * or visit www.oracle.com if you need additional information or have any 0N/A * This class represents a reverse builder, which is able to retrieve 0N/A * matching certificates from CertStores and verify a particular certificate 0N/A * against a ReverseState. 0N/A * @author Sean Mullan 0N/A * @author Yassir Elley 0N/A * Initialize the builder with the input parameters. 0N/A * @param params the parameter set used to build a certification path 0N/A // if no initialPolicies are specified by user, set 0N/A // initPolicies to be anyPolicy by default 0N/A * Retrieves all certs from the specified CertStores that satisfy the 0N/A * requirements specified in the parameters and the current 0N/A * PKIX state (name constraints, policy constraints, etc). 0N/A * @param currentState the current state. 0N/A * Must be an instance of <code>ReverseState</code> 0N/A * @param certStores list of CertStores 0N/A * The last certificate could be an EE or a CA certificate 0N/A * (we may be building a partial certification path or 0N/A * establishing trust in a CA). 0N/A * Try the EE certs before the CA certs. It will be more 0N/A * common to build a path to an end entity. 0N/A * Retrieves all end-entity certificates which satisfy constraints 0N/A * and requirements specified in the parameters and PKIX state. 0N/A * Compose a CertSelector to filter out 0N/A * certs which do not satisfy requirements. 0N/A * First, retrieve clone of current target cert constraints, 0N/A * and then add more selection criteria based on current validation state. 0N/A * Match on issuer (subject of previous cert) 0N/A * Match on certificate validity date. 0N/A * Policy processing optimizations 0N/A * If previous cert has a subject key identifier extension, 0N/A * use it to match on authority key identifier extension. 0N/A /*if (currentState.subjKeyId != null) { 0N/A AuthorityKeyIdentifierExtension authKeyId = new AuthorityKeyIdentifierExtension( 0N/A (KeyIdentifier) currentState.subjKeyId.get(SubjectKeyIdentifierExtension.KEY_ID), 0N/A sel.setAuthorityKeyIdentifier(authKeyId.getExtensionValue()); 0N/A /* Retrieve matching certs from CertStores */ 0N/A * Retrieves all CA certificates which satisfy constraints 0N/A * and requirements specified in the parameters and PKIX state. 0N/A * Compose a CertSelector to filter out 0N/A * certs which do not satisfy requirements. 0N/A * Match on issuer (subject of previous cert) 0N/A * Match on certificate validity date. 0N/A * Match on target subject name (checks that current cert's 0N/A * name constraints permit it to certify target). 0N/A * (4 is the integer type for DIRECTORY name). 0N/A * Policy processing optimizations 0N/A * If previous cert has a subject key identifier extension, 0N/A * use it to match on authority key identifier extension. 0N/A /*if (currentState.subjKeyId != null) { 0N/A AuthorityKeyIdentifierExtension authKeyId = new AuthorityKeyIdentifierExtension( 0N/A (KeyIdentifier) currentState.subjKeyId.get(SubjectKeyIdentifierExtension.KEY_ID), 0N/A sel.setAuthorityKeyIdentifier(authKeyId.getExtensionValue()); 0N/A /* Retrieve matching certs from CertStores */ 0N/A /* Sort remaining certs using name constraints */ 0N/A * This inner class compares 2 PKIX certificates according to which 0N/A * should be tried first when building a path to the target. For 0N/A * now, the algorithm is to look at name constraints in each cert and those 0N/A * which constrain the path closer to the target should be 0N/A * ranked higher. Later, we may want to consider other components, 0N/A * such as key identifiers. 0N/A * if either cert certifies the target, always 0N/A * put at head of list. 0N/A (
"Invalid target subject distinguished name");
0N/A * Verifies a matching certificate. 0N/A * This method executes any of the validation steps in the PKIX path validation 0N/A * algorithm which were not satisfied via filtering out non-compliant 0N/A * certificates with certificate matching rules. 0N/A * If the last certificate is being verified (the one whose subject 0N/A * matches the target subject, then the steps in Section 6.1.4 of the 0N/A * Certification Path Validation algorithm are NOT executed, 0N/A * regardless of whether or not the last cert is an end-entity 0N/A * cert or not. This allows callers to certify CA certs as 0N/A * @param cert the certificate to be verified 0N/A * @param currentState the current state against which the cert is verified 0N/A * @param certPathList the certPathList generated thus far 0N/A /* we don't perform any validation of the trusted cert */ 4756N/A // Don't bother to verify untrusted certificate more. 0N/A * check for looping - abort a loop if 0N/A * ((we encounter the same certificate twice) AND 0N/A * ((policyMappingInhibited = true) OR (no policy mapping 0N/A * extensions can be found between the occurences of the same 0N/A * in order to facilitate the check to see if there are 0N/A * any policy mapping extensions found between the occurences 0N/A * of the same certificate, we reverse the certpathlist first 0N/A /* check if target cert */ 0N/A /* check if CA cert */ 0N/A /* if there are more certs to follow, verify certain constraints */ 0N/A /* check if CA cert */ 0N/A /* If the certificate was not self-issued, verify that 0N/A * remainingCerts is greater than zero 585N/A (
"pathLenConstraint violated, path too long",
null,
0N/A * Check keyUsage extension (only if CA cert and not final cert) 0N/A * If final cert, check that it satisfies specified target 0N/A "constraints check failed");
0N/A /* Check name constraints if this is not a self-issued cert */ 0N/A * Check CRITICAL private extensions 2999N/A * Check that the signature algorithm is not disabled. 0N/A * Look at the remaining extensions and remove any ones we have 0N/A * already checked. If there are any left, throw an exception! 0N/A * Verifies whether the input certificate completes the path. 0N/A * This checks whether the cert is the target certificate. 0N/A * @param cert the certificate to test 0N/A * @return a boolean value indicating whether the cert completes the path. 0N/A /** Adds the certificate to the certPathList 0N/A * @param cert the certificate to be added 0N/A * @param certPathList the certification path list 0N/A /** Removes final certificate from the certPathList 0N/A * @param certPathList the certification path list